
'70 per cent of web applications not secure'

CIOL Bureau

BANGALORE: As enterprises increasingly move data to the cloud, they are relying on Web applications more than ever. However, lack of security in these applications has become a serious issue that can result in business downtime and loss of reputation.

Abhay Bhargav, CTO, we45 Solutions India Pvt. Ltd, an information security solutions company, talks about the various security issues surrounding web applications.

Q: How do you rate security in web applications?


Abhay Bhargav: When it comes to application security, enterprises have a systemic failure. Generally, management doesn't focus on security, hence it is not driven lower down the order. As a result of security-weak architecture, developers and testers ignore security aspects. So, first the business owners should understand that if applications are attacked and breached it can result in a major loss of data, revenue and reputation.

Security should be a key design requirement and security has to be embedded into functionality. It should not be seen as a separate element of the application. Once the design is finalised, business managers have to enforce secure coding practices with the developers.

At each stage when code is reviewed, it should be done for the security aspect also.


Q: What are the security checks required post development?

Abhay Bhargav: Once the development is done, testing should be done for security also, and not only for performance and functionality.

Applications need to be tested to ensure one user is not allowed to capture another user's session and capture data, whether the administrator's account is compromised and things like that.

While testing for security one needs to use abuse cases, where you try and manipulate the use case to check if someone can hack your application. Applications need to be security tested once more before the soft launch too.

Q: How do you rate security in web applications deployed by enterprises?


Abhay Bhargav: One of the major issues with enterprises today is that they are adopting web applications in a big way but most of them are not even tested for security. My observation is that 70 per cent of the time the web applications deployed by enterprises are vulnerable.

In fact, when we test, we are finding 8 out of every 10 applications to be vulnerable. This is one of the major issues facing the enterprises.

Q: What are the other key security challenges facing enterprises today?


Abhay Bhargav: Another key challenge is to continuously monitor the infrastructure for security breaches, because most enterprises lack a consistent monitoring system.

They might be having a certain degree of prevention, but detection of any attack and stopping it when it is happening is extremely important. So log management and intrusion detection are often neglected. Even though there may be log details, they are usually very basic, which won't tell much. Many times logs are not even time synchronized or put under the scope of some devices.

Q: How justified are the higher costs of adopting security solutions?

Abhay Bhargav: Culture of information security in the company. Many of org Info security as a value add. They see it as added cost. Security allows enterprises to function without loss of processing time. For example, if a company has put valuable R&D on a web app without proper security and somebody steals it, it can result in huge losses.

The return on investment is that you (a business) don't get hacked. It is like investing 20 thousand rupees on a door to protect assets worth lakhs of rupees in a house.
